[scponly] Troubles with scponly-4.8
Kaleb Pederson
kaleb.pederson at gmail.com
Thu Oct 28 16:52:26 EDT 2010
On Thursday, October 28, 2010 12:12:56 pm you wrote:
> Ok so I ran the ldconfig command and the output was:
>
> [root at garytest139 home]# ldconfig -r /apps/home/garytest/ -v
... snipping quite a bit
> ldconfig: /lib64/libcom_err.so.2 is not a symbolic link
> ldconfig: /usr/lib64/libz.so.1 is not a symbolic link
> ldconfig: /usr/lib64/libkrb5.so.3 is not a symbolic link
> ldconfig: /usr/lib64/libk5crypto.so.3 is not a symbolic link
> ldconfig: /usr/lib64/libgssapi_krb5.so.2 is not a symbolic link
> ldconfig: /usr/lib64/libkrb5support.so.0 is not a symbolic link
Remove each of the above files. They were copied into your chroot by the jail script but they don't have the full versions on them.
> Further more, when I tried to connect and watched the secure log, I see the
> following and no longer anything about the file/directory not existing:
...
> Oct 28 19:05:56 garytest139 scponly[5388]:
> running: /usr/libexec/openssh/sftp-server (username: garytest(813),
> IP/port: 192.168.9.11 38447 22)
> Oct 28 19:05:56 garytest139 scponly[5388]: about to exec
> "/usr/libexec/openssh/sftp-server" (username: garytest(813), IP/port:
> 192.168.9.11 38447 22)
> Oct 28 15:05:56 garytest139 sshd[5385]: pam_unix(sshd:session): session
> closed for user garytest
The sftp-server is now running, but it's missing pieces.
Looking at the 5575 log it looks like you're missing a number of NSS pieces:
connect(3, {sa_family=AF_FILE, path="/var/run/nscd/socket"...}, 110) = -1 ENOENT (No such file or directory)
open("/lib64/tls/x86_64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/tls/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/x86_64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/lib64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/x86_64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/tls/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/x86_64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
open("/usr/lib64/libnss_compat.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
I.e. libnss_compat.so.2 isn't being found, although your earlier output indicates it's at /lib/libnss_compat.so.2. If your system is like mine, /lib should be a symlink to /lib64. If so, then delete /lib, symlink it to /lib64, and then rerun cplibdeps so it copies the shared libraries back over, and then re-run ldconfig so it regenerates the necessary symlinks.
open("/lib64/libnss_files.so.2", O_RDONLY) = -1 ENOENT (No such file or directory)
This doesn't show up as a dependency of sftp-server, but it's being sought for, so maybe it should be copied into the chroot. Once the other stuff is in place, it might not matter, but it won't hurt to copy it in (before you rerun ldconfig).
These NSS problems eventually give us this:
write(2, "No user found for uid 813", 25) = -1 EPIPE (Broken pipe)
And that's where the sftp-server fails. Note that you'll need to copy in /etc/nsswitch.conf and perhaps a few other files as well. I usually recommend a cron job for /etc/passwd (but not the shadow files) so that the sftp-server can resolve uids.
Closer yet.
--Kaleb
More information about the scponly
mailing list